Guide for Services Used by Children

If you’re an app or website owner whose service is knowingly collecting, using, or disclosing personal information from children under 13, then there are some special regulations that you are legally required to follow under the vast majority of legislations. “Personal information” within this context refers to the child’s name, location, any contact information, identification information (e.g. social security number), device identifiers, IP address, and any photo, video or audio containing the child’s image or voice.

While this guide separates US and EU law for your convenience, it should be noted that in both cases the regulatory bodies have made it clear that the requirements of these laws apply as long as you have or target users located in the region that these regulations are from. This means that it doesn’t matter whether your business or servers are located in the region or not; the laws will still apply to you.

Legal Requirements

US LEGISLATION

The Children’s Online Privacy Protection Act (COPPA) is a United States federal law which was put in place to better protect the personal data and rights of children under 13 years of age. Under COPPA, operators of websites or online services that are either directed to children under 13, or which have actual knowledge that they are collecting personal information from children under 13, must give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and must keep secure the information they collect from children. “Verifiable” here means using a method of attaining consent that is not easily faked by a child and that is demonstrably likely to be given by an adult (e.g. control questions). Even after consenting, parents must also have the option to disallow disclosure to third parties if so desired, unless such disclosures are part of the service (for example, social networking).
A central requirement of this Act is having a COPPA-compliant privacy policy in place. You can read more about compliance in the sections below and learn more about COPPA here.

EU LEGISLATION

Under EU GDPR regulations, consent is one of the Lawful Reasons for processing the data of children. If using this basis for processing the data of children under 13, you must get verifiable consent from a parent or guardian unless the service you offer is a preventative or counseling service. You must make reasonable efforts (using available technology) to verify that the person giving consent actually holds parental responsibility for the child.
If using another lawful reason as the basis for processing a child’s data, you must consider factors such as the child’s competence to understand and agree to the processing, and the interests and fundamental rights of the child. Furthermore, if you target children over the age of 13, you must write **clear and age-appropriate privacy notices** for them so that they understand what they’re consenting to.
The right to erasure is particularly relevant in cases where a person gave consent to processing when they were a child. When processing the data of children, the law requires that you take appropriate measures to ensure that their data is safeguarded.

What are the consequences for noncompliance?

Failure to comply with the COPPA regulations can result in heavy fines.
In one case, the owners of the Xanga website were fined US$1 million in 2006 for COPPA violations after repeatedly allowing children under 13 to sign up for the service without getting their parents’ consent.
Similarly, failure to comply with EU GDPR regulations can result in fines of up to EUR 20 million (€20m) or 4% of annual worldwide turnover (whichever is greater).

Practical steps toward compliance

What you need to do

Describe the types of personal information processed online from children, the purpose and the way it’s handled.

List all operators processing personal information. Name each third party operator involved in the processing including social plugins, widgets, and ad networks.

Describe parental rights in relation to their child’s data and the procedures to follow to exercise these rights.

Provide parents access to their child’s personal information to review and/or have the information deleted.

Give parents the opportunity to withdraw consent and prevent further processing of a child’s personal information.

Maintain the confidentiality, security, and integrity of data collected from children. This includes taking reasonable steps to ensure that such data is only released to third-parties capable of maintaining its confidentiality and security.

Ensure that you keep personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected. When no longer necessary, be sure to delete the information using secure measures to protect against its unauthorized access or use.

Do not make a child’s ability to access an online activity dependent on the child providing more information than what is reasonably necessary for the activity.

How iubenda can help

In terms of compliance with child data protection laws, one of the first logical steps is making sure that your privacy policy meets its legal obligations. With this in mind, we’ve built a solution that implements the strictest regulations from the major legislations into one inclusive yet easy-to-read policy.

While you’re separately required to implement methods to collect, record and verify parental consent, our privacy policy solution makes it easy for you to meet your disclosure obligations by allowing you to comprehensively disclose and define necessary details in a legally compliant way; we’ve also specifically included an additional, comprehensive COPPA clause to further simplify the process.

Click “add a service” then start typing the name of the service you’d like to add.

Select each applicable service from the list of suggestions that shows up, and customize by simply adding the specific types of personal data you collect. Our lawyer-crafted, pre-created clauses automatically include the relevant user-rights disclosures and service definitions based on your input here. Remember to include all services processing personal information including social plugins, widgets, and contact forms.

If your service targets children under 13 based in the US, you must add the COPPA clause using the same procedure above.

If you’d like to add a custom service clause, simply click the “create custom service” button and fill out the built-in form.

2) Fill out your web/app owner and contact details

Enter name and full address

Enter email address

Congratulations! Your policy has been created. Simply check that all the details are correct, then:

Easily embed wherever you’d like! (Remember, you’re required to choose a location that is easily accessible and visible to users throughout your website/app)

Our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal and third-party requirements. Our privacy policies also come with the option to include a cookie policy which is necessary to include if your website or app is using cookies.

You can read more about our policy generator and features here and read about our full range of solutions here.


The software, materials and assistance provided by iubenda have the only purpose of helping users with compliance regarding their legal requirements. In particular, the templates iubenda provides are generated automatically, yet every word of our template has been written and continuously revised by a skilled legal team. However, as can be easily understood, nothing can substitute a professional legal consultancy in the drafting of your privacy policy, cookie policy or of any other legal document or compliance procedure. Our service does its best to provide you with a starting point, like an extremely sophisticated templates book, but even if we strive to provide the best assistance possible, we cannot guarantee any conformity with the law, which only a lawyer can do. Nothing on this site, therefore, shall be considered legal advice and no attorney-client relationship is established. Please note that in some cases, depending on your legislation, further actions may be required to make your activity compliant with the law.